Security Alert
Jonathan Crowe
Nov 2018

Alert: Emotet is Back with Major Spam Campaign, Email Exfiltration Module


After a brief break, the criminals behind Emotet have launched yet another a large malspam campaign, this time distributing an updated version of the trojan with email exfiltration capabilities. Here's what you need to know.

Key Details

  • What's happening: A major new Emotet malspam campaign is now underway. It is primarily distributing malicious Microsoft Word document attachments disguised as invoices or payroll reports, though a few PDFs have been spotted, too.
  • What is Emotet and why is it dangerous? Emotet is a trojan that primarily serves as a downloader for other trojans (TrickBot, Zeus Panda Banker, IcedID, etc.) as well as ransomware. Thanks to a potent combination of persistence and self-propagation mechanisms Emotet infections can spread quickly and are notoriously difficult to remove. In addition to becoming one of the most active threats of 2018, US-CERT has referred to Emotet as "among the most costly and destructive malware" affecting organizations today.
  • New capability to exfiltrate victims' emails makes infections high data breach risks: Harvesting victim email account credentials and contact lists has been part of the Emotet infection routine for some time, but a new module takes things a step further by harvesting entire email contents stretching back 180 days. Not only does that ratchet up the risk of losing sensitive information, it also means many victims will be required to initiate data breach notification protocols. In addition to infecting new victims with the module, attackers are also installing it on previously infected machines they still have access to.
  • What to do: Since the Word documents distributed in this campaign require users to enable macros admins should adjust Office settings to restrict or disable that option altogether. In addition, researcher Joseph Roosen has published a list of IP addresses the campaign is using that admins can block with their firewall.
  • Think you may be infected with Emotet? Follow the tips in our Emotet Survival Guide to identify, isolate, and remove infections.
  • Barkly customers: You are protected. Barkly blocks Emotet payloads as well as the malicious Word documents used to distribute the trojan. See Barkly stop an attempted Emotet infection in its tracks.
  • empty
  • empty

Due to the surge of Emotet activity and requests for assistance, we're providing more information on how to stop infections and how Barkly can help.
Get the details

New Emotet malspam campaign in flight 

Following a four week lull one of 2018's most active malware operations is at it again, distributing a flurry of malspam emails under a variety of disguises. The majority of emails are carrying Word document attachments, though a PDF attachment linking to a hosted Word document has been spotted, as well. 

The attachments are employing a variety of disguises that fall under typical malspam themes — fake invoices, payment notifications, payroll reports, IRS correspondence, etc. 

Fake invoice:

Fake payment notice: Fake payroll report: Fake IRS documents:

Upon opening the Word documents, recipients are instructed to enable macros, which in turn triggers code to retrieve and launch the Emotet payload using cmd.exe and PowerShell. 

Whereas previous Emotet campaigns have experimented with slightly more advanced macro obfuscation techniques, this time around the macros appear to be simply base64 encoded.  

Once installed on a machine, Emotet's primary goals are to gain persistence and spread throughout the compromised organization's network, establishing as many footholds as possible before downloading subsequent attack modules and payloads.

Some of the most common second-stage payloads have included banking trojans such as TrickBot, Zeus Panda Banker, and IcedID. But there have also been several high-profile cases where Emotet infections have resulted in ransomware being dropped, including an incident at a water utility in a North Carolina county that was still actively recovering from Hurricane Florence.   

Currently, the second-stage payloads this campaign appears to be dropping are TrickBot and IcedID.

Dropped TrickBot samples can be found here and here.

In addition to serving as a downloader, Emotet also actively scrapes victim machines for credentials and information it can further utilize/monetize. It has targeted email accounts, specifically, harvesting credentials as well as names and email addresses from the victim's inbox and sent folder. This information is then used to power subsequent spam campaigns, in many cases spoofing or even hijacking victim email accounts to make it appear as though the message is being sent by a contact the recipient knows and has emailed with in the past.

Thanks to a new update, however, Emotet can now go even further, scraping the subject lines and entire contents of emails and exfiltrating them back to attacker-controlled servers. 

New Emotet module capable of exfiltrating 180-days worth of sent/received emails 

As explained by researchers at Kryptos Logic, Emotet's new module builds on prior capability that allowed the trojan to abuse the Outlook Messaging API to harvest names and email addresses from both sent and received messages. It can now harvest entire bodies of emails along with subject lines. This can apply to any email sent or received from the victim from the past 180 days. 


How Emotet harvests emails. Source: Kryptos Logic 

The purpose of exfiltrating full emails remains unclear, though some researchers theorize attackers may be able to utilize them to craft more convincing and context-rich spear phishing emails. 

Extortion and espionage are also possible motives, though it's difficult to imagine that being the case for anything other than highly selective, targeted attacks (think selling access to or threatening to publicly release copies of private emails stolen from a political campaign). 

Warning: New module is being pushed to previously infected victims

Whatever the ultimate goal might be, it's important to underscore the email exfiltrating module poses a serious risk to both new victims and previous victims of Emotet, alike. That's because it's being actively pushed to all previously infected machines that attackers still have access to. 

That means if your organization has been infected with Emotet in the past, any machines that remain compromised may begin seeing emails harvested and uploaded to attacker-controlled servers. 

The reason the addition of the new email exfiltration capability is a big deal is it requires companies to treat Emotet infections as data breaches. For many organizations, that means notifying those affected. For those in regulated industries such as healthcare and government, it means disclosing the breach publicly. 

Protecting your organization

Due to the danger of email exfiltration, credential theft, and network-wide spread, companies are highly encouraged to take active steps to prevent infections in the first place.

  1. Block known IP addresses associated with the campaign: Researcher Joseph Roosen has provided a list here

  2. Adjust Microsoft Office settings to restrict/disable macros: The Word document attachments used in this campaign require users to enable macros to launch code that retrieves the Emotet payload. If you haven't already, follow Microsoft's guidance here to restrict macros or disable them altogether. 

  3. Advise users to be wary of Word document email attachments, even from senders they know: Emotet's email harvesting and spam modules allow attackers to send spam messages to victim contacts, sometimes directly from or spoofing the victim's account. For that reason, it's not enough to tell users not to open attachments from senders they don't know or trust.

  4. Don't count on antivirus to be effective:  Emotet is polymorphic, meaning each time a payload is spawned it's a new, modified mutation of previous samples. As many organizations are unfortunately witnessing firsthand, that makes it difficult for antivirus programs to successfully detect and block these infections.  

  5. Consider restricting inbound SMB communication between client systems: That can help take away a primary path infections use to propagate, though it may also obstruct access to shared files or data. If appropriate for your organization, you can find example policy rules for restricting SMB access here and here

  6. Implement account lockout policies: This will help mitigate attempts to brute force access to other accounts and machines on the network in the case of an infection.

  7. Implement DMARC to prevent email spoofing: You can find a walkthrough for configuring SPF, DMARC, and DKIM here.

  8. Protect your endpoints with stronger security software: With antivirus missing an estimated 57% of attacks, organizations are looking to new solutions to fill the gap. 

How Barkly can help 

Barkly utilizes unique layers of protection to block Emotet infections before they start. 

  • Machine-learning-powered file analysis blocks Emotet payloads regardless of whether they're new samples or polymorphic variations. Case in point: Barkly blocks the latest campaign payloads with no update required. 

  • Behavior-based analysis prevents malicious Office documents from retrieving the Emotet payload to begin with. 


Barkly blocks a malicious Word doc from retrieving the new Emotet payload

Barkly prevents companies from getting infected with Emotet in the first place, but it can also help businesses battling with active infections by streamlining the incident response process. Specifically, deploying Barkly in a compromised network will help admins accomplish the following:

  • Ensure all payloads are blocked while you focus on remediation
  • Isolate compromised endpoints with one click (even from your phone)



Think you're infected with Emotet? Here's what to do.

Possible 4-week pattern in Emotet activity 

Emotet campaigns have been periodically ramping up all year, and researchers now believe they've spotted a clear pattern. 

This allowed several researchers to accurately predict this week's new campaign, and it could potentially allow companies to brace themselves and better prepare if the pattern continues to hold. 

Regardless, one thing appears certain — Emotet continues to be an active and consistently updated threat that shows no sign of disappearing any time soon.  

Don't be the last to know about new attack campaigns. Subscribe to the blog to receive the latest updates on Emotet and other emerging threats.   

Jonathan Crowe

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.


Emotet Survival Handbook

How to deal with active infections and protect your company from 2018's most prevalent threat.

Look inside


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.